How to Remove Malware from MacOS

Before starting the “removing” part, make sure you note your Mac’s symptoms and compare with the ones explained here – characteristic for malware and more particularly for DownLite trojan.

Malware (malicious apps) add a browser helper objects in Safari, Firefox, and Chrome. While doing so, they do NOT request permission from the administrator. They also change browsers’ preferences such as homepage and default search engine. Furthermore, they may display advertisements whenever you go to your every-day regular websites, search engines, or e-commerce sites. DownLite trojan particularly makes you visit this site search.conduit.com.

Note: Before performing any of the following steps I highly recommend backing up your Mac’s data.

Method #1 Remove Malware with Malwarebytes

Step #1: Reset Browsers

First, reset your Internet browsers’ settings.

  • For Safari
    1. On the Safari menu bar, click on Safari and choose Reset Safari. Now, make sure you select all boxes, and click Reset.
  • For Chrome
    1. While in Chrome click the menu icon and choose Settings.
    2. Now, click on Show Advanced settings (at the bottom of the page).
    3. Then select Reset browser settings (at the bottom of the page).
    4. Confirm by clicking Reset once again.
  • For Firefox
    1. While in Firefox click the menu button and click on Help.
    2. From the next menu choose Troubleshooting Information.
    3. Now, click on the Refresh Firefox… button in the top left area of the new page.
    4. Confirm your action by clicking on Refresh Firefox once again.

Step #2: Download and Install Malwarebytes for Mac

Note: Malwarebytes for Mac works on macOS and Mac OS X 10.7 or later. If you are using this method, make sure you have a supported OS version.

  1. Download Malware from its official site (www.malwarebytes.com/mac/). DO NOT download any Malwarebytes files from untrusted sites. They worsened your situation.
  2. Once the download finishes, doubleclick the .dmg file to open it.
  3. Now, a window will appear showing you the Malwarebytes icon and your Applications folder. Drag and drop Malwarebytes onto the Applications folder.

Step #3: Scan your Mac using Malwarebytes

  1. Go to Applications (Click Go on the Mac menu bar and select Applications).
  2. Doubleclick the Malwarebytes icon. (or right-click it and choose open from the menu). If a prompt opens up (asking you if you are sure you want to open the app), click on open.
  3. Choose Agree in the next prompt. You will see this one if you are launching Malwarebytes for the first time on your Mac.
  4. Now, close all running programs on your Mac except Malwarebytes, and click on Scan.

Once the scanning is done, the malware and adware apps should been removed.

Method #2 Manually Delete Malware (Advanced Users Only)

To remove DownLite trojan (or any other) malware from your Mac, you need to locate and delete its files.

Step #1: Locate the Malware (DownLite trojan) on your Mac

  • Approach #1
    1. Tripleclick on the text provided below, to select the whole string (line of text).
      • /Library/LaunchAgents/com.vsearch.agent.plist
    2. Control + Click (or rightclick) while the string is selected.
    3. Select Reveal in Finder (or just Reveal) from the menu.
  • Approach #2
    1. If you do NOT see the contextual menu after clicking right click (or command + click), copy the selected text to the Clipboard (press Command + C).
    2. Now, click Go on the Finder menu.
    3. Select Go to Folder, and paste the text (press Command + V) into the box that opens up.
    4. Now press Return.

Step #2: Remove Malware from your Mac

  1. Once the Finder launches, a file (Vsearch) will be selected. Drag that file into the Trash, and type your administrator password if required.
  2. Repeat the procedure for each of the following files of DownLite trojan.
    • /Library/LaunchDaemons/com.vsearch.daemon.plist
    • /Library/LaunchDaemons/com.vsearch.helper.plist
    • /Library/LaunchDaemons/Jack.plist
  3. Once you delete them, restart your Mac.
  4. Now, empty the Trash and repeat the same procedure for the following items:
    Note: Some of the items may be absent. In that case, you will get a message that the file cannot be found. When this happens, just skip that item and continue with the next one.

    • /Library/Application Support/VSearch
    • /Library/PrivilegedHelperTools/Jack
    • /System/Library/Frameworks/VSearch.framework
    • ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
  5. When you are done, restart your Mac again and empty the Trash.

The same procedure can be applied to other

malware programs. Here are some other known malware and the files that you need to delete to remove them from your Mac.

  1. ChatZum
    • /Applications/ChatZumUninstaller.pkg
    • /Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle
    • /Library/Internet Plug-Ins/uid.plist
    • /Library/Internet Plug-Ins/zako.plugin
  2. Conduit
    • /Library/InputManagers/CTLoader/
    • /Library/LaunchAgents/com.conduit.loader.agent.plist
    • /Library/LaunchDaemons/com.perion.searchprotectd.plist
    • /Library/Application Support/SIMBL/Plugins/CT2285220.bundle
    • /Library/Application Support/Conduit/
    • /Applications/SearchProtect.app
    • /Applications/SearchProtect/
    • ~/Library/Application Support/Conduit/
    • ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    • ~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
    • ~/Conduit/
    • ~/Trovi/
    • For Firefox
      ~/Library/Application Support/Firefox/Profiles/
      Inside this folder open the folder that starts with random characters and ends with “default.” Now remove the following files:
      js
      takeOverNewTab.txt
      searchplugins/[any file with “Conduit” in the name].xml
      searchplugins/MyBrand.xml
  3. Spigot
    • ~/Library/LaunchAgents/com.spigot.SearchProtection.plist
    • ~/Library/LaunchAgents/com.spigot.ApplicationManager.plist
    • ~/Library/Application Support/Spigot/
    • OperatorMac
    • ~/Library/Application Support/Google/Chrome/Default/chromex
    • ~/Library/Application Support/Google/Chrome/Default/chromexdm
    • ~/Library/Application Support/mediahm
    • ~/Library/LaunchDaemons/com.mediahm.operator.update.plist
    • For Firefox
      ~/Library/Application Support/Firefox/Profiles/
      Inside this folder open the folder that starts with random characters and ends with “default.” Now remove “mySearchPlug.xml” if present.

Step #3: Clean up Safari, Chrome, and Firefox

  1. Launch Safari, and choose Preferences > Extensions from the Safari menu bar.
  2. Uninstall any extensions you don’t use or don’t recognize. Especially look for any that have the word “Conduit” or “Spigot” in the description. If in doubt, remove all extensions.
  3. For best results reset Safari (Safari > Reset Safari, make sure you select all boxes, and click Reset)
  4. Do the same procedure for Chrome and Firefox (if you use either of those).

DownLite trojan (and most of the other malware programs) are usually distributed on illegal websites that provide pirated movies. If Mac’s user opens up such sites and follows instructions to install software, that may further worsen the situation.

Gatekeeper doesn’t prompt any warning about installing DownLite trojan software. The reason is that the DownLite developer has a codesigning certificate issued by Apple. That’s why Gatekeeper doesn’t declare it as an unknown-developer and gives the installer a pass.

Note: Malware is continually changing to get around the defenses against it. The instructions given in this article are valid at the time of writing. But, they won’t necessarily be accurate in the future.

 

Check Also

How to Root the LG Aristo 2

The LG Aristo 2 LM-X210 is recently released budget-friendly LG phone, released in USA for …